Presentation is loading. Please wait.

Presentation is loading. Please wait.

HTTP and Server Security James Walden Northern Kentucky University.

Published byClarissa Beasley Modified over 9 years ago

Similar presentations

Presentation on theme: "HTTP and Server Security James Walden Northern Kentucky University."— Presentation transcript:

1 HTTP and Server Security James Walden Northern Kentucky University

2 CSC 666: Secure Software Engineering Topics 1.OWASP Top 10 2.HTTP Vulnerabilities 3.Web Servers

3 CSC 666: Secure Software Engineering OWASP Top 10 2007 1.Cross Site Scripting (XSS) 2.Injection Flaws 3.Insecure Remote File Include 4.Insecure Direct Object Reference 5.Cross Site Request Forgery (CSRF) 6.Information Leakage and Improper Error Handling 7.Broken Authentication and Session Management 8.Insecure Cryptographic Storage 9.Insecure Communications 10.Failure to Restrict URL Access http://www.owasp.org/index.php/Top_10

4 CSC 666: Secure Software Engineering Vulnerability Trends for 2006

5 CSC 666: Secure Software Engineering Dangerous HTTP Methods HTTP MethodDescription PUTUploads file to a specified location. DELETEDeletes specified file from server. COPYCopies file to path in Destination header. MOVEMoves file to path in Destination header. SEARCHSearches directory path for resources. PROPFINDRetrieves information about resources, such as author, size, content-type. TRACEReturns exact request received by header in response body. Can be used to bypass HttpOnly cookie protection against XSS attacks.

6 CSC 666: Secure Software Engineering TRACE $ telnet localhost 80 Trying... Connected to 127.0.0.1. Escape character is '^]'. TRACE / HTTP/1.1 Host: foo x-myheader: spam HTTP/1.1 200 OK Date: Mon, 04 Mar 2009 12:34:45 GMT Server: Apache/1.3.13 (Unix) Connection: close Content-Type: message/http TRACE / HTTP/1.0 x-myheader: spam Host: foo Connection closed.

7 CSC 666: Secure Software Engineering HTTP Headers HTTP headers can be vulnerable to  SQL injection  XSS Most commonly vulnerable headers  Referer  User-Agent String userAgent = request.getHeader(“user-agent”); String sQuery = “DELETE FROM UP_USER_UA_MAP WHERE USER_ID=“ + userId + “ AND USER_AGENT=‘” + userAgent + “’”... stmt.executeUpdate(sQuery);

8 CSC 666: Secure Software Engineering HTTP Header Injection Injecting data into HTTP headers.  Requires ability to send CR/LF.  Impacts headers + body (worse than XSS.) Example: GET /foo.php?uid=123%0d%0aFoo:+bar HTTP/1.1 Host: example.com HTTP/1.1 200 OK Set-Cookie: UserId=123 Foo: bar

9 CSC 666: Secure Software Engineering HTTP Response Splitting Example GET /foo.php?uid=123%0d%0aFoo:+bar%0d%0a %0d%0a foo %0d%0aHTTP/1.1+200+OK %0d%0aContent-Length:+1234 Admin Login HTTP/1.1 200 OK Set-Cookie: UserId=123 Foo: bar foo HTTP/1.1 200 OK Content-Length: 1234 Admin Login Use header injection to create a 2 nd response.

10 CSC 666: Secure Software Engineering HTTP Response Splitting Use URL to create two HTTP responses.  First partially under attacker control.  Second entirely under attacker control. Where can the vulnerability be found:  Anywhere user data inserted in headers.  Most commonly in redirects. Attacks  Web proxy cache poisoning to do XSS, phishing, etc.

11 CSC 666: Secure Software Engineering Cache Poisoning Attack 1.Select a page to poison in proxy cache.  Replace /admin with phishing trojan. 2.Locate header injection vulnerability.  Inject second response body with trojan. 3.Connect to proxy and send requests. 1.First request is header injection described above. 2.Second request is for page that’s being poisoned. 4.Proxy talks to app, gets response. 5.Proxy interprets 2 nd response body as response to attacker’s 2 nd pipelined request.  Updates cache with trojan version.

12 CSC 666: Secure Software Engineering Web Server Issues  Admin interfaces  Default content  Directory listings  Proxy capabilities

13 CSC 666: Secure Software Engineering Admin Interfaces Admin services often run on different port. 8008: IBM WebSphere 8080: Apache Tomcat May be accessible via Host header. Host: example.com:8080 Even if firewall blocks that port. May have default credentials. Tomcat:, Sun JavaServer:

14 CSC 666: Secure Software Engineering Default Content Default content includes  Debug + test functions.  Sample scripts.  Manuals + images. Example: phpinfo.php

15 CSC 666: Secure Software Engineering Directory Listings Web server may respond to dir request by  Returning default resource in directory, such as index.html.  Returning an error, such as 403 Forbidden.  Returning a listing of the directory. Directory listings may lead to problems:  Leftover files, such as backups, logs, etc.  Attacker can identify resources that may not be properly protected by access control.

16 CSC 666: Secure Software Engineering Web Server as Proxy  Web servers sometimes configured as proxies to send requests to other servers.  If may be possible to use a server proxy to  Attack third-party systems on the Internet.  Access internal systems that are protected by the firewall from direct external access.  Access other services on internal host that are protected by the firewall.

17 CSC 666: Secure Software Engineering Testing for Proxies Modify URL to access other hosts: telnet example.com 80 GET http://other.example.com:80/ HTTP/1.0http://other.example.com:80/ Use the CONNECT method telnet example.com 80 CONNECT other.example.com:80 HTTP/1.0 Can use to port scan Try combinations of IP address + port. If receive banner, then port is open on IP.

18 References 1.Brian Chess and Jacob West, Secure Programming with Static Analysis, Addison- Wesley, 2007. 2.Billy Hoffman and Bryan Sullivan, AJAX Security, Addison-Wesley, 2008. 3.Paco Hope and Ben Walther, Web Security Testing Cookbook, O’Reilly, 2009. 4.Sanctum, “HTTP Response Splitting Whitepaper,” http://www.packetstormsecurity.org/papers/gen eral/whitepaper_httpresponse.pdf, 2004. http://www.packetstormsecurity.org/papers/gen eral/whitepaper_httpresponse.pdf 5.Dafydd Stuttart and Marcus Pinto, The Web Application Hacker’s Handbook, Wiley, 2008.

Download ppt "HTTP and Server Security James Walden Northern Kentucky University."

Similar presentations

Webgoat.

Webgoat.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
Web Service Security James Walden Northern Kentucky University.

Web Service Security James Walden Northern Kentucky University.
HTTP – HyperText Transfer Protocol

HTTP – HyperText Transfer Protocol
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.

HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.

The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.
Hypertext Transfer Protocol Information Systems 337 Prof. Harry Plantinga.

Hypertext Transfer Protocol Information Systems 337 Prof. Harry Plantinga.
2/9/2004 Web and HTTP February 9, 2004. 2/9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.

2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Rensselaer Polytechnic Institute CSC-432 – Operating Systems David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSC-432 – Operating Systems David Goldschmidt, Ph.D.

Similar presentations

Ads by Google